I track people who are disrupting the world of mobile technology. Non-conformists, innovators and agitators are this blog's unsung heroes, from entrepreneurs to scientists, to rebellious hackers. I'm the author of "We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency", (Little Brown, 2012) which The New York Times called a "lively, startling book that reads as 'The Social Network' for group hackers." I recently relocated to Forbes' San Francisco office, and was previously Forbes' London bureau chief from 2008-12, interviewing British billionaires like Philip Green and controversial figures like Mohammed Al Fayed; I wrote last year's billionaires cover story on Russia's Yuri Milner, and have broken stories like the Facebook-Spotify partnership in 2011. Before all this I had stints at the BBC and as a radio journalist. You can watch me on 'The Daily Show' here. If you have a story idea or tip, e-mail me at polson@forbes.com or follow me on Twitter: parmy.

It was a Sunday afternoon in August 2012 and Gert-Jan Schenk, the European head of cyber security giant McAfee, had just arrived home from summer vacation.

As he busied himself with unpacking luggage, Schenk’s mobile phone rang, displaying an unfamiliar number. The father of two had his hands full with bags and kids, so he let it go to voicemail. Then the number rang again, and then a third time, before Schenk finally put his things down and answered the phone.

To Schenk’s surprise, the person on the line was the chief information officer of the world’s biggest oil company. And he sounded worried.

“We need your help. We’re under attack,” the executive said. “Something is happening in our environment, and we haven’t seen it before.”

Knowing the situation was serious, Schenk called a McAfee director in the United States responsible for forensic IT services, who then mobilized 25 of the company’s best forensics experts around the world. McAfee flew its experts from the U.S., Germany, Britain and elsewhere, to the site of McAfee’s client in the Middle East.

The moment the forensics team arrived, a “time bomb” went off. More than 30,000 of the client’s PCs and 1,000 servers went to blue screen.

“We couldn’t repair them anymore,” Schenk remembers. “We had to rebuild that whole environment from the ground up.”

Schenk wouldn’t name the client he had been talking to, but it has since been widely reported that a computer virus had hit state-run Saudi Aramco in August, and disabled 30,000 of its computers.

Schenk was among the first to learn of the malware before it was given its now-familiar name, Shamoon. The virus was publicly announced around August 16 and appeared to be designed to spy on and disrupt energy companies.

The attack on Saudi Aramco saw critical data on its PCs replaced with the image of a burning American flag, according to the New York Times. Was that a calling card for hacktivists, or an attempt to throw investigators off the scent of the real attackers and their motivations?

That is still unclear, but Schenk says the attack on his client was so serious that if its critical industrial control (or SCADA) systems had been hit, “more than 30% of the Gulf’s oil supply would have stopped.”

“Luckily enough they had good systems in place,” Schenk said on the sidelines of the McAfee security conference in London on Thursday, and the virus only got as far as the company’s business systems.

But Schenk also got another surprise. Within a week of hearing about the first client’s troubles, another Middle Eastern oil major, reportedly the Qatari natural gas company RasGas, was hit by the same virus.

“This was not malware that was developed for multiple countries. This was malware specifically designed to hit one company… We hadn’t seen anything at this scale before, and then we saw it twice in one week.” The second attack, in other words, was no coincidence.

After the Saudi Aramco and RasGas attacks hit the news in August, American officials went on to hint that they had been state-sponsored, with several reports citing speculation that Shamoon had come from Iran. After the attack, however, a self-proclaimed hacktivist group called the Cutting Sword of Justice claimed responsibility, saying they were protesting Saudi government actions. Schenk refuses to say where he believes the virus came from.

Whatever the original cause, the attack itself is being treated as a landmark in discussions about cyber warfare and what further similar incidents might look like. Leon Panetta, the U.S. defence secretary, name-checked the virus in October 2012 during his startling address about the risk of a co-ordinated digital attack that could lead to a “cyber Pearl Harbor.” The former head of the CIA added that the world was facing a “pre-9/11” moment for cyber security.

McAfee's EMEA president Gert-Jan "G.J." Schenk

Schenk also doesn’t mince his words when he talks about the future. He believes it’s highly likely that the Shamoon virus spread with help from inside each company, and that threats from inside a network can be all the more prevalent thanks to social engineering. This refers to the art of manipulating people through social media, real-time chat or e-mail, which has been popularized by pranksters in online subcultures like Anonymous or on image boards.

The idea is that once an attacker gains the trust of a staffer inside a company’s network, they can learn enough about the organization to design a specific form of malware that will spread from the inside, says Schenk.

He says the Shamoon scenario could repeat with financial companies. “If this would happen to the three biggest banks in the U.K., all of their systems went down, all of their servers went down, [it would] mean that people can’t see their bank account online anymore, so they don’t know whether or not they still have money anymore. All the ATMs have a blue screen,” he continued.

“Can you imagine what will happen after the fifth day, how people would feel if they can’t get access to money or pay for anything? That’s going to [lead to] riots. People will start to fight because that is really about food, that is about survival.”

Schenk’s nightmarish scenario might sound overblown, but he says it’s based on what he saw first hand this summer, a well-planned attack that came out of the blue, right after people’s summer holidays: “Since this summer, it can happen. We hadn’t seen anything that just destroyed the whole environment, at this scale. And we’d seen it twice in the same week.”

He says McAfee is now bolstering staff at its cyber defence center in the Middle East, with operations in Riyadh and Dubai. “Generally speaking attacks are coming from emerging countries,” he says, and while some are state sponsored, plenty are between rival corporations.

Dealing with and preparing for such attacks requires a check on your “security posture,” he adds, and becoming aware of any unusual activity passing through a network’s open ports from an unfamiliar IP address.

Comments

I know there are companies out there that have ignored information security for so long that there’s no hope. Of course those companies are hard for hackers these days, mostly because their equipment is so old, nobody knows what to do with it. The next question is how are their recovery procedures and are they integrated with their security. Over the years I’ve seen a lot of companies that dealt with them separately, and recovery was ready for everything except for something like this, and security was prepared to defend the system except if part had to be brought up somewhere else.